The hook
Tomcat often reaches production through a framework parent, a BOM, an embedded servlet container, or a base image rather than a single obvious dependency line. CVE-2025-48989 is an HTTP/2 denial-of-service advisory; FixVibe treats a repo match as dependency evidence, not proof that HTTP/2 is enabled or reachable on the deployed service.
Πώς λειτουργεί
The repo check looks for Tomcat Coyote and embedded-core Maven coordinates in Java build files. Exact declared versions produce the strongest signal; compatible manifest ranges are reported when they clearly allow an affected Tomcat release line. The finding stays scoped to dependency evidence and does not claim FixVibe sent HTTP/2 reset traffic.
The blast radius
If an affected Tomcat runtime is deployed with the vulnerable HTTP/2 path exposed, attackers may be able to drive resource exhaustion and denial of service. A repo match should trigger dependency-tree review, artifact rebuild, and runtime verification before anyone treats it as confirmed production exposure.
// what fixvibe checks
What FixVibe checks
FixVibe repo scans look for high-confidence security patterns and dependency risk in source context. Reports identify the affected area and recommended fix. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.
Ironclad defenses
Upgrade the active Tomcat release line to 9.0.108, 10.1.44, 11.0.10, or newer. Update direct Tomcat artifacts, BOMs, Spring Boot-managed versions, Gradle constraints, or container base images as needed, then rebuild and redeploy the actual WAR, JAR, or image.